HPKP

Oh my God, they killed HPKP!

This week Google went ahead and removed support for HTTP Public Key Pinning (HPKP) from Chromium after some initial stumbles. The change was committed and tagged for Chromium 72.0.x and can now be observed by users of Chrome Canary.

HPKP has been deployed

It’s live, prepare to self-destruct in 3..2..1..

HTTP Public Key Pinning (HPKP)

A new HTTP header that allows web host operators to instruct user agents to remember (“pin”) the hosts’ cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. Source: RFC 7469
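An added illustration of the mechanism that definition describes (example code written for this page, not from RFC 7469 or from any browser): a pin is the base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo, the UA checks that at least one SPKI in the served chain matches a noted pin, and it only notes a Public-Key-Pins header that carries max-age and a backup pin. The SPKI blobs are constructed Ed25519 structures with filler key bytes; the parsing and backup-pin rule follow RFC 7469 sections 2.1 and 2.5.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set


def ed25519_spki(raw_key: bytes) -> bytes:
    """Constructed DER SubjectPublicKeyInfo for an Ed25519 key (RFC 8410 layout):
    SEQUENCE { AlgorithmIdentifier(id-Ed25519), BIT STRING }. Key bytes are filler."""
    assert len(raw_key) == 32
    return bytes.fromhex("302a300506032b6570032100") + raw_key


LEAF_SPKI = ed25519_spki(b"\x01" * 32)
INTERMEDIATE_SPKI = ed25519_spki(b"\x02" * 32)
BACKUP_SPKI = ed25519_spki(b"\x03" * 32)  # held offline, never in the served chain


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class Pins:
    pins: Set[str] = field(default_factory=set)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def parse_pkp_header(value: str) -> Pins:
    """Parse a Public-Key-Pins header value (RFC 7469 section 2.1)."""
    p = Pins()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            p.pins.add(arg)
        elif name == "max-age":
            p.max_age = int(arg)
        elif name == "includesubdomains":
            p.include_subdomains = True
        elif name == "report-uri":
            p.report_uri = arg
    return p


def chain_matches_pins(pinned: Set[str], chain: List[bytes]) -> bool:
    """Pin validation: at least one SPKI in the served chain must match a pin."""
    return any(pin_sha256(spki) in pinned for spki in chain)


def header_is_valid(p: Pins, served_chain: List[bytes]) -> bool:
    """The UA notes the host only if max-age is present, validation succeeds, and
    there is a backup pin, i.e. a pin matching no SPKI in the served chain (sec. 2.5)."""
    served = {pin_sha256(s) for s in served_chain}
    has_backup = any(pin not in served for pin in p.pins)
    return p.max_age is not None and chain_matches_pins(p.pins, served_chain) and has_backup
```

The backup pin is what lets a site rotate to its offline key without bricking itself for the remaining max-age, which is also why a lost or mistyped pin locks pinned visitors out until the pins expire.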